* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
erouault committed Dec 27, 2015
1 parent aaab5c3 commit b18012d
Showing 2 changed files with 14 additions and 2 deletions.
6 changes: 6 additions & 0 deletions ChangeLog
@@ -1,3 +1,9 @@
2015-12-27 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)

2015-12-27 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
10 changes: 8 additions & 2 deletions libtiff/tif_next.c
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
case 3: *op++ |= (v); break; \
case 3: *op++ |= (v); op_offset++; break; \
} \
}

@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
tmsize_t op_offset = 0;

/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
* bounds, potentially resulting in a security
* issue.
*/
while (n-- > 0 && npixels < imagewidth)
while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
if (op_offset >= scanline ) {
TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
(long) tif->tif_row);
return (0);
}
if (cc == 0)
goto bad;
n = *bp++, cc--;
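Review bot: `SETPIXEL` now increments `op_offset`, which is not one of its parameters, so the macro only compiles, and the write through `op` only stays bounded, where the caller declares that counter and tests it against `scanline` before every expansion, as the new `while` condition does. A comment above the macro would record that contract, e.g. `/* Relies on the caller's op_offset; the caller must check op_offset < scanline before each use. */`. Separately, `tmsize_t op_offset = 0;` in the second hunk comes after the `if( isTiled(tif) )` assignment, a declaration after a statement that C89-only compilers reject; if the project still supports such compilers, declare it beside `imagewidth` instead. Both the macro and NeXTDecode start and end outside the hunks shown.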